CVE-2025-68876

2025-12-29 [email protected]

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 29, 2025 - 16:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INVELITY Invelity SPS connect invelity-sps-connect allows Reflected XSS. This issue affects Invelity SPS connect: from n/a through <= 1.0.8.

Analysis (AI)

Reflected cross-site scripting (XSS) in the INVELITY Invelity SPS connect WordPress plugin through version 1.0.8 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation. Its exploitation probability is extremely low (EPSS 0.04th percentile), suggesting minimal real-world attack motivation, even though no CVSS score has been assigned.

Technical Context (AI)

This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the Invelity SPS connect WordPress plugin. The plugin fails to properly sanitize or validate user-supplied input before echoing it back in HTTP responses, allowing attackers to craft malicious URLs containing arbitrary HTML and JavaScript that execute in the browser context of victims who click the link. WordPress plugins are particularly prone to such flaws when they process query parameters or form data without adequate escaping functions like esc_attr(), esc_js(), or wp_kses_post(). The vulnerability is reflected (not stored), meaning the payload must be delivered to the target via a crafted URL rather than persisting in the application database.
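To make the escaping guidance above concrete, here is an added illustration of the vulnerable pattern beside its hardened form. It is not code from the Invelity SPS connect plugin; the parameter name `sps_search`, the shortcode tag and the function names are hypothetical, while the WordPress API calls (`wp_unslash`, `sanitize_text_field`, `esc_attr`, `esc_html`, `wp_kses_post`, `add_shortcode`) are the real core functions.

```php
<?php
// Added illustration, not code from the Invelity SPS connect plugin.
// The parameter name "sps_search" and the function names are hypothetical.

// Vulnerable pattern: the query parameter is echoed straight into markup,
// so any HTML or script carried in the URL is rendered in the visitor's
// browser. This is the CWE-79 reflected-XSS shape described above.
function sps_connect_search_box_vulnerable() {
    $term = isset( $_GET['sps_search'] ) ? $_GET['sps_search'] : '';
    return '<input type="text" name="sps_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: unslash and sanitize on input, then escape for the
// exact output context (attribute vs. text node) at the point of output.
function sps_connect_search_box_hardened() {
    $term = isset( $_GET['sps_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['sps_search'] ) )
        : '';
    return '<input type="text" name="sps_search" value="' . esc_attr( $term ) . '">'
         . '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// Output that legitimately carries markup (for example a configurable
// notice) goes through wp_kses_post(), which keeps the post-safe subset
// of HTML and strips script tags and event-handler attributes.
function sps_connect_notice_hardened( $html ) {
    return '<div class="sps-notice">' . wp_kses_post( $html ) . '</div>';
}

// A value written into an inline <script> block would need esc_js()
// instead; esc_attr()/esc_html() are not sufficient in that context.

add_shortcode( 'sps_search', 'sps_connect_search_box_hardened' );
```

The same review rule applies when auditing custom code as the Remediation section suggests: every `echo`/`return` of request-derived data should show an `esc_*()` or `wp_kses*()` call chosen for the context it lands in.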

Affected Products (AI)

INVELITY Invelity SPS connect WordPress plugin versions up to and including 1.0.8 are affected by this reflected XSS vulnerability. The plugin is distributed through the WordPress plugin repository (referenced via patchstack.com database link). No specific CPE string is provided in available data, but the affected component is identifiable as the WordPress plugin with slug 'invelity-sps-connect'.

Remediation (AI)

Update the Invelity SPS connect plugin to a patched version released after 1.0.8. Check the WordPress plugin repository or the vendor's advisory at https://patchstack.com/database/Wordpress/Plugin/invelity-sps-connect/vulnerability/wordpress-invelity-sps-connect-plugin-1-0-8-reflected-cross-site-scripting-xss-vulnerability for the specific fixed version number. If an update is not yet available, disable or remove the plugin until a patch is released. Site administrators should verify the plugin's purpose aligns with their needs before re-enabling it post-patch, and audit any user input handling in custom code for similar XSS issues.

CVE-2025-68876 vulnerability details – vuln.today